[Snort-users] Problem getting a snort rule to work

Briggs, Bruce Bruce.Briggs at ...13183...
Thu Apr 14 06:37:41 EDT 2005

You are missing the source port in your alerts.
Alert tcp $SMTP_NET any -> any 25 (msg:"outgoing SMTP";)

From: snort-users-admin at lists.sourceforge.net [mailto:snort-users-admin at ...3204...ts.sourceforge.net] On Behalf Of Pennell, Ronald B.
Sent: Thursday, April 14, 2005 8:59 AM
To: snort-users at lists.sourceforge.net
Subject: [Snort-users] Problem getting a snort rule to work

I'm extremely new to snort and have been trying to get a simple snort rule to work.


I'm tasked with grabbing an alert for every email message that is going outbound from my organization.


I've tried using the following local rule:


Alert tcp $SMTP_NET --> any 25


Alert udp    "                    "     "


Alert tcp $HOME_Net      "   "


When I check the acid viewer, I see no traffic at all.


Any help would be greatly appreciated.


Ron Pennell

rpennell at ...13261...
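
The header layout behind the reply above, as an added example that is not part of the original thread: a Snort rule header is action, protocol, source address, source port, direction, destination address, destination port. The helper name `check_header` is hypothetical, and this is a structural check only, not Snort's own parser.

```python
import re

DIRECTIONS = {"->", "<>"}            # the two direction operators Snort accepts
PROTOCOLS = {"tcp", "udp", "icmp", "ip"}


def check_header(rule):
    """Return a list of problems found in a Snort rule header (empty if none)."""
    # Everything before the first "(" is the header; the rest is rule options.
    header = rule.split("(", 1)[0].split()
    problems = []
    if len(header) < 2:
        return ["rule has no action/protocol"]
    if header[1].lower() not in PROTOCOLS:
        problems.append(f"unknown protocol {header[1]!r}")
    # Find whatever token is standing in for the direction operator.
    arrows = [i for i, tok in enumerate(header) if re.fullmatch(r"[-<>]+", tok)]
    if not arrows:
        return problems + ["no direction operator"]
    pos = arrows[0]
    if header[pos] not in DIRECTIONS:
        problems.append(f"invalid direction operator {header[pos]!r}")
    # Each side of the operator must be exactly: address, then port.
    sides = (("source", header[2:pos]), ("destination", header[pos + 1:]))
    for side, fields in sides:
        if len(fields) == 1:
            problems.append(f"{side} has an address but no port")
        elif len(fields) != 2:
            problems.append(f"{side} needs exactly address and port, got {fields}")
    return problems


# Rules taken from the thread: the first attempt and the corrected form.
SAMPLES = [
    "Alert tcp $SMTP_NET --> any 25",
    'Alert tcp $SMTP_NET any -> any 25 (msg:"outgoing SMTP";)',
]

if __name__ == "__main__":
    for rule in SAMPLES:
        found = check_header(rule)
        print(rule, "=>", found if found else "header OK")
```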
